
Netwitness: Scan attachment for specific text

Question asked by RSA Admin Employee on Aug 9, 2013
Latest reply on Aug 10, 2013 by RSA Admin

Good afternoon,

I'm trying to get Netwitness to scan an attachment, in an email, for a specific value and fire a custom alert. For example, I would like to scan a document file attached to an email, containing the word "test".

I've tried variations of the following to no success:

service = '25' && attachment ends 'doc' && content contains test

service = '25' && content contains test

content contains test

 

For the testing of these rules I created a .doc file with the word test inside and sent it across the monitored wire to my web mail. I found the email under meta tagged as service 25, though it did not fire the custom rule alert.

I think the rule is searching the email content for test instead of the attachment.

Thank you for any assistance!!
